rubo77 / log4j_checker_beta
a fast check, if your server could be vulnerable to CVE-2021-44228
License: The Unlicense
If any app bundles the JVM in its own package, 'java' might not be installed, but one such app could still be vulnerable.
Maybe add `find /|grep log4j|grep -v log4js`?
Given an EAR file a.ear containing, amongst others, e.g. a WAR file b.war, which again contains a JAR file named c.jar, which may contain a repackaged/rebundled version of the susceptible JndiLookup/JndiContextSelector classes: make the script recurse into a.ear to unpack b.war and then c.jar, to generate the hashes for comparison of the class files.
I.e., can the script run a recursive, depth-first search to find log4j or the suspected class files in any packaged EAR/WAR/JAR combination our fellow developers came/come up with when developing and adding dependencies to their application stack of libraries?
I would like to vote for such a deep inspection feature, as I cannot get most other frameworks (Python 3- or Go-based) to run on the servers for lack of language support.
Many thanks
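The depth-first walk asked for above, as an added example written for this thread; it is not code from log4j_checker_beta. It uses Python's standard zipfile module (the project itself is a bash script) because EAR, WAR and JAR files are all zip containers and can be opened in memory without unpacking to disk. The a.ear -> b.war -> c.jar sample, the stand-in class bytes and the "sha256  name" hash list are all constructed inline so the example runs offline; the stand-in hash is not a real vulnerable JndiLookup.class hash, it only gives the demo something to match. The names scan_archive_bytes, scan_file and load_hash_file are this example's own.

```python
"""Depth-first scan of nested EAR/WAR/JAR archives for log4j JNDI classes.

Added example for this issue thread; it is not code from log4j_checker_beta.
Everything below is built in memory so it runs offline: the class bytes,
the hash list and the a.ear -> b.war -> c.jar nesting are all constructed.
"""
import hashlib
import io
import zipfile

# Archive extensions the scanner descends into (the EAR/WAR/JAR combinations from the issue).
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")
# Class files named in the issue as the ones worth hashing.
TARGET_CLASSES = ("JndiLookup.class", "JndiContextSelector.class")
# Stop descending at this nesting depth so a pathological archive cannot recurse forever.
MAX_DEPTH = 16


def load_hash_file(text):
    """Parse 'sha256  label' lines into a set of lowercase hex digests (first field only)."""
    hashes = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hashes.add(line.split()[0].lower())
    return hashes


def scan_archive_bytes(data, path, known_hashes, depth=0, findings=None):
    """Recursively walk one zip-format archive held in memory.

    Returns a list of dicts, one per target class found, with the full
    'outer!/inner!/...' path, its sha256 and whether it matches known_hashes.
    """
    if findings is None:
        findings = []
    if depth > MAX_DEPTH:
        findings.append({"path": path, "error": "nesting deeper than MAX_DEPTH, not scanned"})
        return findings
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container; nothing to inspect
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            nested_path = f"{path}!/{info.filename}"
            if base in TARGET_CLASSES:
                digest = hashlib.sha256(archive.read(info)).hexdigest()
                findings.append({"path": nested_path, "sha256": digest,
                                 "vulnerable": digest in known_hashes})
            elif base.lower().endswith(ARCHIVE_SUFFIXES):
                # Nested archive: read its bytes and descend (depth-first).
                scan_archive_bytes(archive.read(info), nested_path, known_hashes,
                                   depth + 1, findings)
    return findings


def scan_file(filename, known_hashes):
    """Scan an archive on disk (e.g. one pulled from a server over ssh/scp)."""
    with open(filename, "rb") as fh:
        return scan_archive_bytes(fh.read(), filename, known_hashes)


def _zip_bytes(entries):
    """Build an in-memory zip from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-in for a class file; NOT real log4j bytes, and its hash is NOT a real
# vulnerable-class hash. It only exists so the demo has something to match against.
FAKE_CLASS = b"\xca\xfe\xba\xbe constructed JndiLookup.class stand-in for the demo"
FAKE_CLASS_SHA256 = hashlib.sha256(FAKE_CLASS).hexdigest()


def build_sample_ear():
    """Constructed a.ear -> b.war -> WEB-INF/lib/c.jar -> JndiLookup.class, as in the issue."""
    c_jar = _zip_bytes([
        ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
        ("org/apache/logging/log4j/core/lookup/JndiLookup.class", FAKE_CLASS),
    ])
    b_war = _zip_bytes([("index.html", b"<html></html>"), ("WEB-INF/lib/c.jar", c_jar)])
    return _zip_bytes([("META-INF/application.xml", b"<application/>"), ("b.war", b_war)])


if __name__ == "__main__":
    # Hash list in the same 'sha256  name' shape as the project's hashes file, but constructed.
    known = load_hash_file(f"{FAKE_CLASS_SHA256}  JndiLookup.class (constructed sample)\n")
    for hit in scan_archive_bytes(build_sample_ear(), "a.ear", known):
        print(hit)
```

Because the archive is read into memory at each level, the whole nested chain is inspected without writing temp files, which sidesteps the mktemp and tmpfs questions raised elsewhere in this thread; the cost is that each nested archive is held in RAM, so on very large EARs you would want to stream or cap sizes. The "!/" separator in the reported path is the usual Java convention for a resource inside a jar, so a hit can be handed straight to the developers who own that bundle.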
Getting an error when running the script on macOS:

```
$ wget https://raw.githubusercontent.com/rubo77/log4j_checker_beta/main/log4j_checker_beta.sh -q -O - |bash
[INFO] using default hash file. If you want to use other hashes, set another URL as first argument
mktemp: illegal option -- -
usage: mktemp [-d] [-q] [-t prefix] [-u] template ...
       mktemp [-d] [-q] [-u] -t prefix
--2021-12-30 12:00:52--  https://raw.githubusercontent.com/rubo77/log4j_checker_beta/main/hashes-pre-cve.txt
```
From the man page:

```
OPTIONS
     The available options are as follows:

     -d         Make a directory instead of a file.

     -q         Fail silently if an error occurs.  This is useful if a script does not want
                error output to go to standard error.

     -t prefix  Generate a template (using the supplied prefix and TMPDIR if set) to create a
                filename template.

     -u         Operate in "unsafe" mode.  The temp file will be unlinked before mktemp exits.
                This is slightly better than mktemp(3) but still introduces a race condition.
                Use of this option is not encouraged.
```
Nice work, but I am missing vulnerable JndiLookup.class sha256sum hashes. Can anybody check them in to this project? I did not find anything on the net (there are hashes for log4j-core-xx.jar files available from the Apache repository, however), but it is pointless here to test on a .class level.
2. You might not want to execute the hashing on the production machine/VM (CPU load), so I suggest adding some possibilities to check on a local machine, accessing the webserver only via ssh and pulling the .jar files to test. This might also circumvent cases where the webserver is blocked by a firewall for outgoing requests (either wget or curl).
This is handy if you want to work on tmpfs and /tmp is not tmpfs.
I added

```bash
export TMPDIR="$(pwd)"
```

just before

```bash
dir_temp_hashes=$(mktemp -d -t ${PROGNAME}_XXXXXX)
```

This should allow you to run log4j_checker_beta.sh from wherever you may have tmpfs and have the temp folder created locally.
@whenselm: in #27 you said:

> Added one JndiLookup.class hash (which is the recommended quick workaround to remove it if logging is not needed). Otherwise you'll receive false positives. Need to add other JndiLookup.class version hashes and a cmdline argument which hashes to use in main code

What do you mean? How could we enhance this?
I don't know if any RH-based distros use DNF but do not have YUM installed. Currently, I do not know of any RH-based distro that does not have YUM installed, but I just don't know for sure.
The script fails to find wget, even though I used wget to download it.
I think that is because of a typing error in line 117:

```bash
if [ $(command -v wgdet) ]; then
```
I worked around 2 problems:

```bash
# --suffix is a GNU mktemp option; BSD/macOS mktemp does not accept it
dir_temp_hashes=$(mktemp -d --suffix _log4jscan)
file_temp_hashes="$dir_temp_hashes/vulnerable.hashes"
# Reuse a cached hash file from the current directory if it exists and is non-empty
if [ -f vulnerable.hashes ] && [ -s vulnerable.hashes ]; then
    ok_hashes=1
    cp vulnerable.hashes "$dir_temp_hashes"
    information "using cached vulnerable.hashes"
else
    information "no vulnerable.hashes cached ... downloading"
    ok_hashes=
    # Download with wget if available, otherwise curl (-f makes curl fail on HTTP errors)
    if [[ -n $SHA256_HASHES_URL && $(command -v wget) ]]; then
        wget --max-redirect=0 --tries=2 -O "$file_temp_hashes.in" -- "$SHA256_HASHES_URL"
    elif [[ -n $SHA256_HASHES_URL && $(command -v curl) ]]; then
        curl --globoff -f "$SHA256_HASHES_URL" -o "$file_temp_hashes.in"
    fi
    # $? is the exit status of whichever download ran; if neither ran it is 0,
    # but the -s test on the missing file still fails
    if [[ $? = 0 && -s "$file_temp_hashes.in" ]]; then
        # keep only the first field (the sha256) of each line, deduplicated
        cut -d" " -f1 "$file_temp_hashes.in" | sort -u > "$file_temp_hashes"
        ok_hashes=1
        information "Downloaded vulnerable hashes from $SHA256_HASHES_URL"
        cp "$file_temp_hashes" .   # cache for the next run
    fi
fi
```
and the other thing, about the one-line thing from find_jar_files:

```bash
# Collect the output of find_jar_files into an array and loop over it by index.
# Note: the unquoted $(...) inside ( ) word-splits on whitespace, so a path
# containing spaces would end up as several array entries.
JarArray=($(find_jar_files))
# while read -r jar_file; do
for ((i=0; i<${#JarArray[*]}; i++)); do
    ....
    ....
    ....
done
# done <<<$(find_jar_files)
```

Sorry, I've no time to make a patch file or to clone, edit and suggest a pull request.
Do I need hashes for it to work? If so, where can I download them?
Should `dpkg -l|grep log4j;` not be `dpkg -l|grep log4j|grep -v log4jsj;`?
This takes too much time for me. I am looking for someone I can transfer the ownership of the repository to.
```
LSB Version:    :core-4.1-amd64:core-4.1-noarch
Distributor ID: CentOS
Description:    CentOS Linux release 7.9.2009 (Core)
Release:        7.9.2009
Codename:       Core
```

```
$ sudo wget https://raw.githubusercontent.com/rubo77/log4j_checker_beta/main/log4j_checker_beta.sh -q -O - |bash
bash: line 15: information: command not found
```
Just use a counter instead. This counter could also be shown in the message.